CVE-2025-53446
Published: 18 December 2025
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Beautique beautique allows PHP Local File Inclusion.This issue affects Beautique: from n/a through <= 1.5.
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the PHP file inclusion flaw in the Beautique WordPress theme, directly eliminating the vulnerability.
Mandates validation of user-supplied filenames prior to use in PHP include/require statements, preventing local file inclusion exploits.
Implements boundary protections such as web application firewalls to block network inputs containing path traversal or malicious filename payloads targeting the vulnerability.
Security SummaryAI
CVE-2025-53446 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion, in the axiomthemes Beautique WordPress theme. The flaw allows PHP Local File Inclusion and affects Beautique versions from n/a through 1.5. Published on 2025-12-18, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98.
The vulnerability can be exploited by unauthenticated attackers over the network, though it requires high attack complexity and no user interaction. Successful exploitation enables high-impact confidentiality, integrity, and availability violations through local file inclusion in the affected PHP code.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/beautique/vulnerability/wordpress-beautique-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an LFI in a public-facing WordPress theme, directly enabling exploitation of public-facing web applications via unauthenticated remote access.